Policies, User Groups, and Information Sets

DBUsersFile (2307)
Describes policy application from the User Group viewpoint. Maps each DB UserGroupID to a list of ResourceGroupIDs with flags that indicate whether the policy that relates each pair is an allow or deny policy.

DBUsersTreeFile
Describes the user groups tree as a flattened array. Maps each DB UserGroupID to a list of UserGroupIDs for parent user groups.

DBResourcesFile
Describes policy application from the Resource Group (information set) viewpoint. Maps each DB ResourceGroupID to a list of UserGroupIDs with flags that indicate whether the policy that relates each pair is an allow or deny policy.

DBResourcesTreeFile
Describes the resource groups tree as a flattened array. Maps each DB ResourceGroupID to a list of ResourceGroupIDs for parent information sets.

User Identification Information (2311)

DBIPRangesFile
IP Range data. Maps from IPRangeDefID to the IP range data.

DBDomainsFile
IP Domain data. Maps from DomainDefID to the IP domain data.

DBCertificatesFile
Certificate data. Maps from CertificateDefID to the certificate data.

DBWindowsIDFile
Windows ID data. Maps from WindowDefID to the Windows ID data.

DBSmartCardIDFile
Smart card (authentication token) data. Maps from SmartcardDefID to the authentication token data.

DBIPRangesByUserGroupFile
Relates IP range matching criteria to user groups. Maps from IP Range data to UserGroupIDs.

DBDomainsByUserGroupFile
Relates IP domain matching criteria to user groups. Maps from IP Domain data to UserGroupIDs.

DBCertificatesByUserGroupFile
Relates certificates to user groups. Maps from certificate data to UserGroupIDs.

DBWindowsIDByUserGroupFile
Relates Windows IDs to user groups. Maps from Windows ID data to UserGroupIDs.

DBSmartCardIDByUserGroupFile
Relates Smart Card (authentication token) data to user groups. Maps from authentication token data to UserGroupIDs.
Servers, Services, and Information Resources (2313)

DBResourcesByServerIDFile
Relates servers to resources. Maps from ServerIDs to ResourceIDs for resources held on the server identified by the ServerID.

DBResourcesByServiceIDFile
Relates services to resources. Maps from ServiceIDs to ResourceIDs for resources belonging to the service identified by the ServiceID.

DBResourceIDByServiceIDFile
Relates services to their information resources. Maps from ServiceID to ResourceID.

DBResourceIDByNameFile (2315)
Relates the IP names (URLs) of resources to resource IDs. Maps from URL to resource ID.

DBResourcesByResourceIDFile
Relates resources to information sets. Maps ResourceID to ResourceGroupIDs.

Servers, Services, IP Information, and Proxies (2319)

DBServerIDByIPFile
Relates IP addresses to servers. Maps IP addresses to ServerIDs.

DBServerIDByNameFile
Relates IP names to servers. Maps the IP FQDN (fully qualified domain name) for each server to its ServerID.

DBIPAndTypeByServerIDFile
Relates servers to their locations inside or outside the VPN. Maps ServerID to the server's IP address and a flag indicating whether the address is inside or outside the VPN.

DBServiceIDByPortFile
Relates services to their port numbers. Maps from ServiceID to port number.

DBServiceIDByServerIDFile
Relates servers to ports for services. Maps from ServerID to a list of port numbers.

DBServicePortToProxyPortFile
Relates service ports to the ports for their proxies. Maps from service port number to proxy port number.

DBProxyIDByServerIDFile
Relates servers to service proxies. Maps from ServerID to ProxyDefID.

DBProxyParametersFile
Relates proxies to configuration data for the proxies. Maps from ProxyDefID to options data.
Access Filter Information (2321)

DBAttachedNetworksByIPFile
Relates network interfaces in the access filters to information for the interfaces. Maps from the interface's IP address to interface information.

DBAttachedNetworksByServerIDFile
Relates access filters to their network interfaces. Maps from ServerID for the access filter to interface information.

DBRoutingTableFile
Describes the IP routing information for all of the access filters. One block of information.

DBRoutingTableByServerIDFile
Relates access filters to their IP routing information. Maps from ServerID for the access filter to IP routing information.

DBPointToPointFile
Relates a point-to-point description of a network path to data for the path. Maps from PointToPointID for the path to the associated data.

SEND Information (2223)

DBTrustTableFile (2325)
Implements the SEND table. Maps from TrustDefID, indicating a trust level, to AuthenticationIDs for user identification techniques and EncryptionIDs for encryption techniques.

DBCertificateAuthoritiesFile
Relates identifiers for certificate authorities to their data. Maps from CertificateAuthorityID to associated data.

DBTrustAuthenticationsFile
Relates AuthenticationIDs to information about identification techniques. Maps from AuthenticationID to identification technique information.

DBTrustEncryptionsFile
Relates EncryptionIDs to information about encryption techniques. Maps from EncryptionID to encryption type and strength information.

IntraMap Information (2422)

DBJavaSiteTable
Maps from names of locations to LocationIDs.

DBJavaResourceTable
Maps from URLs of resources to their ResourceIDs, LocationIDs, and hidden flags.

DBJavaResourcesSetTable
Maps from names of information sets to ResourceGroupIDs, a list of ResourceIDs for all resources contained in the information set, and a list of ResourceGroupIDs for all of the information set's parents.
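As an added example (not from the patent), the following Python shows how a PolicyEval virtual row of the kind queried in FIG. 42 can be computed from the DB files listed above: the source IP is mapped to user groups, the resource URL to information sets, both trees are walked upward through their flattened parent arrays, and the allow/deny flags in DBUsersFile decide. The dictionaries stand in for the files named in their comments and hold constructed data; three rules the page does not state are assumed here: a policy on any ancestor pair applies, any deny on a matching pair wins, and no matching policy means deny.

```python
import ipaddress

# DBIPRangesByUserGroupFile: IP range -> UserGroupIDs (constructed sample data)
DB_IP_RANGES_BY_USER_GROUP = {
    "172.31.1.0/24": [10],   # group 10: "Engineering" (constructed)
    "172.31.0.0/16": [1],    # group 1: "Corporate" (constructed)
}
# DBUsersTreeFile: UserGroupID -> parent UserGroupIDs (flattened tree)
DB_USERS_TREE = {10: [1], 1: []}
# DBResourceIDByNameFile: URL -> ResourceID
DB_RESOURCE_ID_BY_NAME = {"Conclave/ConclaveEval.html": 500,
                          "Finance/report.html": 501}
# DBResourcesByResourceIDFile: ResourceID -> ResourceGroupIDs
DB_RESOURCES_BY_RESOURCE_ID = {500: [20], 501: [30]}
# DBResourcesTreeFile: ResourceGroupID -> parent ResourceGroupIDs (flattened tree)
DB_RESOURCES_TREE = {20: [2], 30: [2], 2: []}
# DBUsersFile: UserGroupID -> [(ResourceGroupID, allow_flag)]
DB_USERS = {1: [(2, True)], 10: [(30, False)]}

def ancestors(node, tree):
    """Return node plus every ancestor reachable through the flattened tree."""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(tree.get(n, []))
    return seen

def user_groups_for_ip(source_ip):
    """DBIPRangesByUserGroupFile lookup: every group whose range holds the IP."""
    ip = ipaddress.ip_address(source_ip)
    return {g for cidr, gids in DB_IP_RANGES_BY_USER_GROUP.items()
            if ip in ipaddress.ip_network(cidr) for g in gids}

def policy_eval(source_ip, resource):
    """Return (IsAllowed, Reason) the way one PolicyEval virtual row would."""
    resource = resource.lstrip("/")          # psquery.inc strips the leading slash
    rid = DB_RESOURCE_ID_BY_NAME.get(resource)
    if rid is None:
        return "N", "Unknown resource"
    # Assumption: a policy on any ancestor user group / information set applies.
    ugroups = set().union(*(ancestors(g, DB_USERS_TREE)
                            for g in user_groups_for_ip(source_ip)))
    rgroups = set().union(*(ancestors(g, DB_RESOURCES_TREE)
                            for g in DB_RESOURCES_BY_RESOURCE_ID.get(rid, [])))
    allowed = False
    for ug in sorted(ugroups):
        for rg, allow in DB_USERS.get(ug, []):
            if rg in rgroups:
                if not allow:                # assumption: any deny wins outright
                    return "N", "Denied by policy (%d,%d)" % (ug, rg)
                allowed = True
    return ("Y", "None") if allowed else ("N", "No matching policy")
```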
Schedule Rule dialog (3201). Schedule Valid (3203): All Day, or Starts 5:00 PM / Ends 9:00 PM; Description. On selected days of week (3205): Mo, Tu, We, Th, Fr, Sa, Su; Weekdays; Weekends; Exclude Holidays; Holidays. Recurrence (3207): Every week; Every 2 weeks starting on 6/23/99; On selected week of month: 1st, 2nd, 3rd, 4th, Last. Months (3209): All year, or On selected months: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec. Buttons: OK, Cancel, Holidays, Help, Advanced (3211).

Fig. 32
Policy Properties dialog. User Group: Corporate. Information Set: Corporate. Policy: Allow (selected) / Deny. State: Active (selected) / Inactive. Comment: Corporate access to corporate information. Valid Between: Start Date, End Date (checkboxes with date fields). Schedule Name: Business Hours.

Fig. 33
Attribute Label dialog (3601). Attribute Label: Medium. Description: Medium priority traffic. Label Precedence: 16 (3603). Associated Feature (3605): Feature: Bandwidth; Value 1: 64000; Value 2: (empty); Feature Properties button (3607). Buttons: OK, Help, and a third button (the scan reads "Control").

Fig. 36
Attribute Feature dialog. Fields: Class (3703): Quality of Service; Name (3705): Priority; Description (3707): Bandwidth Priority; Value Type: Pair; Feature Precedence and Value Precedence (3711; values not legible in the scan); Restrictions: None.
Block diagram (reference numerals 38xx). Components: Web server or Application (3803); dossier (3604 as printed); Load-balancing (LB) Policy Plug-In (PPI) (3805); 3811; Auth Form (by type) (3807(i)); Local Configuration Information (3809(i)); 2609; link to other Policy Servers; Access query (java info, returns eval result, cookie, and/or dossier) (2036 as printed); VOB Service (3813); 2617; identity, attribute info (3623 as printed); DLL name, DLL function, auth info (3327 as printed); name/val pairs (3815); auth type, auth info, name/val pairs (3821); Auth Coordinator (3829); Cookie Manager (3817); Signer/Validator (3819); 3843(a..n).
<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
<html>
<head>
<meta content="text/html; charset=unicode" http-equiv="Content-Type">
<!-- #include file="psquery.inc" -->
<title>Policy Query Example</title>
</head>
<body>
<h1>Conclave Policy Enabled Page</h1>
<%
' ConclavePolicyAllowed is defined in psquery.inc (FIG. 40)
if ConclavePolicyAllowed = "Yes" then
    'Put the allowed action here
    Response.Write "<p>You've been allowed to this page.</p>"
else
    'Put denied action here
    Response.Write "<p>You've been <b>denied</b> to this page.</p>"
end if
%>
<p> </p>
</body>
</html>

FIG. 39 (reference numerals 3901, 3903, 3905, 3907)
<%
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
'% File: psquery.inc
'% Perform Policy Server
'% Query against the current page
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Function ConclavePolicyAllowed
    'Connection parameters for the policy server's virtual database
    dsn = "ConclavePolicyServer"
    dbuser = "anyone"
    dbpass = "anything"

    'default to not allowed
    ConclavePolicyAllowed = "No"

    'Get the session variables for the query
    sourceIP = Request.ServerVariables("REMOTE_ADDR")
    destIP = Request.ServerVariables("LOCAL_ADDR")
    destPort = Request.ServerVariables("SERVER_PORT")
    resource = Request.ServerVariables("URL")

    'remove any prepended slash on the URL
    if left(resource, 1) = "/" then
        if resource <> "" then
            resource = mid(resource, 2)
        end if
    end if

    'Construct the SQL query
    dbsql = "SELECT IsAllowed FROM PolicyEval WHERE" _
        & " SourceIP = '" & sourceIP & "'" _
        & " AND DestinationIP = '" & destIP & "'" _
        & " AND SourcePort = 0" _
        & " AND DestinationPort = " & destPort _
        & " AND Resource = '" & resource & "'" _
        & " AND IncludeIdentityStore='Y'" _
        & " AND AskClientForIdentities='Y'"

    Set Conn = Server.CreateObject("ADODB.Connection")
    Set RS = Server.CreateObject("ADODB.RecordSet")
    Conn.Open dsn, dbuser, dbpass
    RS.Open dbsql, Conn

    'The first column of the first row is IsAllowed
    if Conn.Errors.Count = 0 then
        if Not RS.EOF then
            ConclavePolicyAllowed = RS(0)
        end if
    end if

    RS.Close
    Set RS = Nothing
    Conn.Close
    Set Conn = Nothing
End Function
%>

FIG. 40 (reference numerals 4003, 4005, 4007, 4009, 4011, 4013, 4015, 4017; 3903 marks the include used by FIG. 39)
POLICYEVAL : Table (4201)

Query (4203):
SELECT IsAllowed, PolicySet, HasExpireTime, ExpireTime, Reason from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND SourcePort = 0
AND DestinationIP = '172.31.1.32'
AND DestinationPort = 80
AND EncryptionAlg = 64
AND AuthenticationAlg = 2
AND IPProtocol = 6
AND EvalTimeStamp = '07-JUL-1999 13:39:34'
AND Resource = 'Conclave/ConclaveEval.html';

Result (4205):
IsAllowed | PolicySet | HasExpireTime | ExpireTime | Reason
Y | 56 | N | 1969-12-31 16:00:00 | None

Query (4209):
SELECT IsAllowed, Reason from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND SourcePort = 0
AND DestinationIP = '172.31.1.32'
AND DestinationPort = 80
AND EncryptionAlg = 64
AND AuthenticationAlg = 2
AND IPProtocol = 6
AND EvalTimeStamp = '07-JUL-1999 13:39:34'
AND Resource = 'Conclave/ConclaveEval.html'

Result (4211):
IsAllowed | Reason
Y | None

Query (4213):
SELECT * from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND SourcePort = 0
AND DestinationIP = '172.31.1.32'
AND DestinationPort = 80
AND EncryptionAlg = 64
AND AuthenticationAlg = 2
AND IPProtocol = 6
AND EvalTimeStamp = '07-JUL-1999 13:39:34'
AND Resource = 'Conclave/ConclaveEval.html'
(result row not legible in the scan)

Query (4217):
SELECT IsAllowed, PolicySet, HasExpireTime, ExpireTime, Reason from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND DestinationIP = '172.31.1.32'
AND Resource = 'Conclave/ConclaveEval.html'

Result:
IsAllowed | PolicySet | HasExpireTime | ExpireTime | Reason
Y | 56 | N | 1969-12-31 16:00:00 | None

FIG. 42
Query (4303):
SELECT IsAllowed, Reason, IdentType, IdentGroup, IdentValue from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND DestinationIP = '172.31.1.32'
AND Resource = 'Conclave/ConclaveEval.html'

Result (4301, 4305; cells lost in the scan are left blank):
IsAllowed | Reason | IdentType | IdentGroup | IdentValue
 | Allowed by Certificate | CERTIFICATEDN | | /O=XYZ
 | Allowed by Certificate | CERTIFICATEDN | 1 | /OU=Engineering
Y | Allowed by Certificate | CERTIFICATEDN | 1 | /CN=JoeUser

Query (4309):
SELECT IsAllowed, Reason, IdentType, IdentGroup, IdentValue from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND DestinationIP = '172.31.1.32'
AND Resource = 'Conclave/ConclaveEval.html'
AND IdentType = 'CertificateDN'
AND IdentValue = '/O=XYZ/OU=Engineering/CN=JoeUser'

Result (4307):
IsAllowed | Reason | IdentType | IdentGroup | IdentValue
Y | Allowed by Certificate | CERTIFICATEDN | 1 | /CN=JoeUser

Query (4313):
SELECT IsAllowed, Reason, IdentType, IdentGroup, IdentValue from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND DestinationIP = '172.31.1.32'
AND Resource = 'Conclave/ConclaveEval.html'
AND IncludeIdentityStore = 'Y'

Result (4315, 4317; only the tail of the last row survives the scan):
... | 1 | /CN=JoeUser

Query (4321):
SELECT IsAllowed, Reason, IdentType, IdentGroup, IdentValue from PolicyEval
WHERE SourceIP = '172.31.1.31'
AND DestinationIP = '172.31.1.32'
AND Resource = 'Conclave/ConclaveEval.html'
AND IncludeIdentityStore = 'Y'
AND IdentType NOT IN ('WindowsID', 'Radius', 'IP')
Flow diagram (reference numerals 45xx): User requests web page through browser (4503). Web server passes session to PS (w/ cookie if available) over the connection from the Load-balancing plug-in (4505, 4507). Evaluator allows access (4509). "Maybe" case (4519): for the listed identity types (4520), the plug-in displays the auth form for that type (4521); PS performs all auth (4523); PS passes result.
Browser window titled "Conclave Authentication Using LDAP Bind - Microsoft Internet Explorer", address http://pluto.interdyn.com/BindNeptune.html.

Authenticating Web Server

In order to gain access to the resource you requested (BindNeptune.html&GET&192.168.36.217&pluto.interdyn.com&80&0) you are required to provide the system with the following information.

User ID: fred
Password: (masked)

FIG. 51
select Cookie, IdentityIsValid, IsAllowed, reasoncode, maybelist, cookiemodified
from policyeval
where sourceip='192.168.36.215' and
application='WS' and
resource='BindNeptune.html&GET&192.168.36.217&pluto.interdyn.com&80&0'
and includeeval='Y' and
includeidentitystore='Y' and
askclientforidentities='N' and
identity='AUTHPOSTIDENTITY IDENTTYPE="LDAP Bind" ORIGINALURL="BindNeptune.html&GET&192.168.36.217&pluto.interdyn.com&80&0"&AUTHTYPE="LDAP Bind"&USER="fred"&PWD="agen...&SUBMIT1="Log in"'

(The PWD value is cut off in the scan after "agen".)

FIG. 52
Result row for the query in FIG. 52. The Cookie column is shown URL-decoded, one field per line (the scan prints it percent-encoded):

CONCLAVE=COOKIEIDENTITY=COOKIEIDENTITY
&AUTHTYPE="LDAP Bind"
&IDENTTYPE="LDAP Bind"
&ORIGINALURL="BindNeptune.html&GET&192.168.36.217&pluto.interdyn.com&80&0"
&SUBMIT1="Log in"
&USER="fred"
&UserName="cn=fred,ou=QA,ou=Engineering,o=IDI"
&EXPIRES=Thu, 08-Jun-2000 00:28:41 GMT
&cn=fred
&facsimileTelephoneNumber=805-666-5563
&initials=ddf
&mail=fred@interdyn.com
&objectClass=top
&objectClass=person
&objectClass=organizationalPerson
&objectClass=inetOrgPerson
&roomNumber=2217
&sn=user
&telephoneNumber=805-652-2544
&uid=fred
&NONCE=f+7KBJmHR6/XWCTmREhmnQ (5305)
&SIG=qd0ZLcPBjMiPbGlR7C7urAXad2Q; (5307)
EXPIRES=Thu, 08-Jun-2000 00:28:41 GMT;
MAX-AGE=960424121;

IdentityIsValid = Y (5309)
IsAllowed = Y (5311)
ReasonCode = 116
MaybeList = (empty) (5313)
CookieModified = Y
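The signed identity cookie above, as an added example that is not part of the patent: Python that issues and validates a cookie in the FIG. 53 layout (CONCLAVE=COOKIEIDENTITY=<url-encoded identity>&EXPIRES=..&NONCE=..&SIG=..), checking the signature before any field is trusted and then the expiry, so that IdentityIsValid can be answered. The page does not say how SIG is computed, so an HMAC-SHA256 under a constructed key stands in for the Signer/Validator; the identity fields and expiry time are constructed to match the figure.

```python
import base64, hashlib, hmac, os, re
from datetime import datetime, timezone
from urllib.parse import quote, unquote

# Constructed key. The page does not say how SIG is computed; HMAC-SHA256 over
# everything before "&SIG=" stands in here for the patent's Signer/Validator.
KEY = b"policy-server-cookie-key (constructed)"
FMT = "%a, %d-%b-%Y %H:%M:%S GMT"      # EXPIRES format shown in FIG. 53
PREFIX = "CONCLAVE=COOKIEIDENTITY="

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")

def _sig(body: str) -> str:
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue_cookie(identity: dict, expires: datetime, nonce: bytes = None) -> str:
    """Build CONCLAVE=COOKIEIDENTITY=<url-encoded identity>&EXPIRES=..&NONCE=..&SIG=.."""
    ident = "&".join('%s="%s"' % kv for kv in identity.items())
    body = (PREFIX + quote(ident, safe="")
            + "&EXPIRES=" + quote(expires.strftime(FMT), safe="")
            + "&NONCE=" + _b64(nonce or os.urandom(16)))   # NONCE: fresh per cookie
    return body + "&SIG=" + _sig(body)

def verify_cookie(cookie: str, now: datetime):
    """Return (IdentityIsValid, identity dict or reason) for a presented cookie."""
    body, sep, sig = cookie.rpartition("&SIG=")
    # Check the signature before trusting any field, with a constant-time compare.
    if not sep or not body.startswith(PREFIX) or \
            not hmac.compare_digest(sig.encode(), _sig(body).encode()):
        return "N", "bad signature"
    parts = body[len(PREFIX):].split("&")        # [identity, EXPIRES=.., NONCE=..]
    fields = dict(p.split("=", 1) for p in parts[1:])
    expires = datetime.strptime(unquote(fields["EXPIRES"]), FMT).replace(tzinfo=timezone.utc)
    if now >= expires:
        return "N", "expired"
    # Quoted values may themselves contain '&' (ORIGINALURL does), so match pairs.
    return "Y", dict(re.findall(r'(\w+)="([^"]*)"', unquote(parts[0])))

# Constructed sample mirroring the identity fields visible in FIG. 53.
SAMPLE_IDENTITY = {"AUTHTYPE": "LDAP Bind", "IDENTTYPE": "LDAP Bind",
                   "ORIGINALURL": "BindNeptune.html&GET&192.168.36.217&pluto.interdyn.com&80&0",
                   "USER": "fred", "UserName": "cn=fred,ou=QA,ou=Engineering,o=IDI"}
EXPIRES_AT = datetime(2000, 6, 8, 0, 28, 41, tzinfo=timezone.utc)
SAMPLE_COOKIE = issue_cookie(SAMPLE_IDENTITY, EXPIRES_AT, nonce=b"\x01" * 16)
```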
VOB Service (5407) data flow diagram: Query from app (5403); Result to app (5405); Info source; Virtual relational database table (5411) made up of virtual rows (5413(i)); Constructed row (5417) corresponding to a virtual row.